Law firm adds privacy protection via email encryption

Law firms have commonly relied on confidentiality statements at the end of emails to ensure privacy, but firms are starting to move in the direction of data encryption to secure sensitive information.

Foster Swift said it has implemented Zix Email Encryption software, which was developed by ZixCorp of Dallas, Texas, as an added step in data security.

Foster Swift has offices in Lansing, Detroit, Farmington Hills, Grand Rapids and Holland, and employs 90 attorneys.

John Bonandrini, director of information technology at Foster Swift, said there are a handful of industries with which the firm works that require specific privacy compliance, which was one reason the firm decided to implement data encryption.

Bonandrini said HIPAA laws were updated a year and a half ago to require law firms to protect information in the same manner as doctors or hospitals. He noted there are specific privacy regulations that apply to the financial services, insurance and real estate industries.

“We do a lot of real estate, banking, insurance and health care, and those are industries that have strict regulations on the books about privacy,” he said.

Bonandrini said he believes the legal industry also is headed in the direction where encrypted email could soon become a requirement.

“I’ve been reading some opinions from bar associations about the possibility in the future of all client information needing to be encrypted or secured,” he said. “It may or may not happen, but it’s the path the legal industry is on, and I wanted to be out there before it was determined that we had to do it so all of our users and clients are prepared.”

Bonandrini said a survey conducted by the International Legal Technology Association showed use of encrypted email by law firms jumped from 23 percent in 2014 to 53 percent in 2015. He said among law firms with 50 to 159 attorneys, the number moved from the single digits to 30 percent in the past year.

He said adding Zix Email Encryption was mostly seamless for Foster Swift because many clients already use the software.

“Our attorneys and clients can exchange encrypted email from end-to-end without having to do anything special,” he said. “They send and receive it just like a normal email.

“Seventy-five to 80 percent of our business emails will go straight to the other side just like a normal email.”

Bonandrini said even for clients without Zix, the process is user friendly.

“The other 25 percent, they get an email that says, ‘You’ve been sent an email encrypted by Zix; please click here to download it,’” he said.

“They click, and it takes them to a branded website — a Zix site branded with our logo. The user creates a login and password one time, and then the system remembers their computer, login and password, and any future communication still comes in as an email. They still click, but then it will open the email in a browser. So after the first time, it becomes a one-click mechanism for the browser.”

Not all emails require encryption; the Zix software allows the sender to decide whether or not to encrypt the email.

Bonandrini said there are three ways to enable encryption in an email.

First, when the email is being sent through Outlook, in addition to the “Send” button, there is an “Encrypt and Send” button, so the sender can choose to encrypt the email by selecting that option.

Second, the software has a feature similar to scanning for viruses or spam that attempts to catch any outgoing emails that should have been encrypted.

“The system scans, and it has an algorithm that tries to identify Social Security numbers, bank account numbers and keywords that indicate medical protected information,” he said. “If an email meets any of those criteria, it will automatically encrypt it. So it acts as a backstop. Even if someone makes a mistake, the email still gets caught and encrypted.”

Third, when someone is sending an email from a mobile device, web app or another option outside of Outlook, Bonandrini said the sender can enter the word “encrypt” in the subject line of the email, and the system will encrypt the email.
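The three triggers described above can be modeled as one outbound policy check. This is an added example, not Zix's code or Foster Swift's configuration: the patterns, keyword list, reason labels and function names are assumptions chosen for illustration, and attachments are not scanned.

```python
import re
from email.message import EmailMessage

# Assumed detection rules; the article does not publish the product's own.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
ACCOUNT_RE = re.compile(
    r"\b(?:account|acct)\.?\s*(?:number|no\.?|#)?\s*:?\s*\d{8,17}\b", re.I)
PHI_KEYWORDS = ("diagnosis", "medical record", "patient", "prescription")

def plausible_ssn(area, group, serial):
    """Drop values that are never issued as SSNs, to cut false positives."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def content_reasons(text):
    """Content scan: the backstop for mail the sender forgot to encrypt."""
    reasons = []
    if any(plausible_ssn(*m.groups()) for m in SSN_RE.finditer(text)):
        reasons.append("ssn")
    if ACCOUNT_RE.search(text):
        reasons.append("bank_account")
    lowered = text.lower()
    if any(keyword in lowered for keyword in PHI_KEYWORDS):
        reasons.append("phi_keyword")
    return reasons

def encryption_reasons(msg, sender_chose_encrypt=False):
    """Return every trigger that fires; an empty list means send unencrypted."""
    reasons = []
    if sender_chose_encrypt:                      # "Encrypt and Send" button
        reasons.append("sender_button")
    subject = str(msg.get("Subject", ""))
    if re.search(r"\bencrypt\b", subject, re.I):  # subject-line keyword
        reasons.append("subject_keyword")
    body = msg.get_body(preferencelist=("plain",))
    text = subject + "\n" + (body.get_content() if body else "")
    reasons.extend(content_reasons(text))         # automatic content scan
    return reasons

def make_message(subject, body):
    """Build a constructed sample message for exercising the policy."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    return msg
```

Returning the list of reasons rather than a bare yes/no lets each automatic encryption be logged with its cause, which is what makes false positives and missed patterns reviewable.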

Bonandrini said adding email encryption ties in with the firm’s larger security focus.

“It’s critical we protect client information,” he said.